update Qualcomm PSDS (XTRA) information

Daniel Micay 2023-05-06 00:25:47 -04:00
parent a4d47678ef
commit ee561d858d
2 changed files with 25 additions and 35 deletions


@ -767,16 +767,11 @@
<article id="default-connections"> <article id="default-connections">
<h3><a href="#default-connections">What kind of connections do the OS and bundled apps make by default?</a></h3> <h3><a href="#default-connections">What kind of connections do the OS and bundled apps make by default?</a></h3>
<p>GrapheneOS makes connections to the outside world to test connectivity, detect <p>GrapheneOS makes connections to the outside world to test connectivity,
captive portals and download updates. No data varying per user / installation / device detect captive portals and download updates. No data varying per user /
is sent in these connections. There aren't analytics / telemetry in GrapheneOS.</p> installation / device is sent in these connections. There aren't analytics /
telemetry in GrapheneOS. By default, remote connections are only made to
<p>On 6th and 7th generation Pixels, GrapheneOS only connects to GrapheneOS GrapheneOS services and the network provided DNS resolvers.</p>
servers by default. On 4th and 5th generation Pixels, there's a single
non-GrapheneOS connection to download static files from a Qualcomm service
(PSDS, referred to as XTRA by Qualcomm) hosted on Amazon Web Services which
we're in the process of phasing out. We've already made changes to resolve a
serious privacy issue with this Qualcomm service.</p>
<p>Make sure to read the <a href="#other-connections">other connections</a> <p>Make sure to read the <a href="#other-connections">other connections</a>
section below this one too which covers non-default connections triggered by section below this one too which covers non-default connections triggered by
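Review bot: The new closing sentence of the first paragraph ("By default, remote connections are only made to GrapheneOS services and the network provided DNS resolvers") is now the only statement in this article about third-party connections. With the per-generation paragraph removed, nothing here tells 4th and 5th generation Pixel users that Qualcomm's standard servers can still be selected. A short pointer to the PSDS entry that describes the Settings toggle would keep the "only" claim from reading as unconditional. Minor style point: "network provided" is a compound modifier and should be "network-provided".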
@ -870,33 +865,27 @@
<p>On 4th and 5th generation Pixels (which use a Qualcomm baseband <p>On 4th and 5th generation Pixels (which use a Qualcomm baseband
providing cellular, Wi-Fi, Bluetooth and GNSS in separate sandboxes), providing cellular, Wi-Fi, Bluetooth and GNSS in separate sandboxes),
almanacs are downloaded from almanacs are downloaded from
https://path1.xtracloud.net/xtra3grcej.bin https://qualcomm.psds.grapheneos.org/xtra3Mgrbeji.bin which is a cache
https://path2.xtracloud.net/xtra3grcej.bin, of Qualcomm's data. Alternatively, the standard servers can be enabled
https://path3.xtracloud.net/xtra3grcej.bin, in the Settings app which will use
https://path1.xtracloud.net/xtra3Mgrbeji.bin, https://path1.xtracloud.net/xtra3Mgrbeji.bin,
https://path2.xtracloud.net/xtra3Mgrbeji.bin and https://path2.xtracloud.net/xtra3Mgrbeji.bin and
https://path3.xtracloud.net/xtra3Mgrbeji.bin which currently (as of https://path3.xtracloud.net/xtra3Mgrbeji.bin. GrapheneOS improves the
October 2022) are hosted via Amazon Web Services. xtra-daemon sets a privacy of Qualcomm PSDS (XTRA) by removing the User-Agent header
custom User-Agent header with information on the device. GrapheneOS normally containing an SoC serial number (unique hardware identifier),
stops it from including any unique hardware identifiers and is in the random ID and information on the phone including manufacturer, brand
process of entirely disabling the User-Agent header to avoid sending and model. We also always fetch the most complete XTRA database variant
the device model, manufacturer, etc. to Qualcomm. We're hosting a (xtra3Mgrbeji.bin) instead of model/carrier/region dependent variants
similar PSDS cache for Qualcomm PSDS data and plan to use it by to avoid leaking a small amount of information based on the database
default once we implement support for switching between our servers variant.</p>
and Qualcomm's servers via the same toggle we use for the newer
Broadcomm GNSS Pixels.</p>
<p>Qualcomm Snapdragon SoC devices also fetch time from <p>Qualcomm Snapdragon SoC devices also fetch time via NTP from
time.xtracloud.net via NTP rather than using the OS time. Stock Pixel time.grapheneos.org when using the default GrapheneOS PSDS servers or
OS overrides this to time.google.com but we use the standard server the standard time.xtracloud.net when using Qualcomm's servers. Stock
like other Snapdragon devices. It's technically incorrect to use the Pixel OS uses time.google.com but we follow Qualcomm's standard
time.google.com server for this due to non-standard leap second settings to match other devices and to avoid the incompatible leap
smearing not expected by the Qualcomm GNSS implementation. This could second handling. These connections all go through the Owner VPN so it
be avoided by using OS time instead but Qualcomm built it this way to isn't a real world fingerprinting issue.</p>
avoid GNSS-based location being crippled by having time set wrong in
the OS.</p>
<p></p>
</li> </li>
<li> <li>
<p>Connectivity checks designed to mimic a web browser user agent are performed <p>Connectivity checks designed to mimic a web browser user agent are performed
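Review bot: The final sentence of the rewritten NTP paragraph ("These connections all go through the Owner VPN so it isn't a real world fingerprinting issue") has no clear antecedent for "it" and does not say which connections "these" covers. Spell out what could have been fingerprinted (presumably using a different time server than the stock Pixel OS) and whether the statement applies to the PSDS downloads as well as NTP. The rewrite also drops two pieces of rationale the old text carried: that time.google.com uses non-standard leap second smearing not expected by the Qualcomm GNSS implementation, and that Qualcomm fetches time separately so a wrong OS clock does not cripple GNSS. "Incompatible leap second handling" alone does not say which side is non-standard, so consider keeping one clause for each. The "as of October 2022 ... hosted via Amazon Web Services" note on the xtracloud.net hosts is also gone. If that is deliberate, fine; otherwise it is still relevant to users who enable the standard servers.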


@ -672,9 +672,10 @@
<ul> <ul>
<li>Connectivity checks</li> <li>Connectivity checks</li>
<li>Attestation key provisioning</li> <li>Attestation key provisioning</li>
<li>GNSS almanac downloads (PSDS) on 6th generation Pixels</li> <li>GNSS almanac downloads (PSDS) for Broadcom and Qualcomm (XTRA)</li>
<li>Secure User Plane Location (SUPL)</li> <li>Secure User Plane Location (SUPL)</li>
<li>Network time</li> <li>Network time</li>
<li>Vanadium (Chromium) component updates</li>
</ul> </ul>
<p>We provide a toggle to switch back to Google's servers for connectivity <p>We provide a toggle to switch back to Google's servers for connectivity
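Review bot: The added list item "Vanadium (Chromium) component updates" is unrelated to the commit subject ("update Qualcomm PSDS (XTRA) information") and should either go in its own commit or be mentioned in the message so the history stays searchable. Also check the paragraph that follows the list: the visible context line reads "We provide a toggle to switch back to Google's servers for connectivity", but the PSDS item now covers Qualcomm (XTRA) as well, where the alternative is Qualcomm's servers rather than Google's. If the rest of that sentence does not already say so, it needs the same update as the list.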